FireEye NX

Integration version: 8.0

Use Cases

  1. Ingest Trellix Network Security alerts to use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
  2. Perform enrichment actions - download alert artifacts using Trellix Network Security agent from Google Security Operations SOAR.

Configure FireEye NX integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Root String https://x.x.x.x:<port> Yes API root of Trellix Network Security server.
Username String N/A Yes Username of the Trellix Network Security account.
Password Password N/A Yes Password of the Trellix Network Security account.
Verify SSL Checkbox Checked No If enabled, verifies that the SSL certificate for the connection to the Trellix Network Security server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to Trellix Network Security with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:

Print "Successfully connected to the Trellix Network Security server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful:

Print "Failed to connect to the Trellix Network Security server! Error is {0}".format(exception.stacktrace)

General

Download Alert Artifacts

Description

Download alert artifacts.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Alert UUID String N/A Yes Specify the alert uuid from where we need to download artifacts.
Download Path String N/A Yes Specify where the action should save the files.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if status code 200 (is_success = true):

Print "Successfully downloaded Trellix Network Security alert artifacts with alert id {0}!".format(alert uuid)


if status code 200 (is_success = true):

Print "Action wasn't able to download Trellix Network Security alert artifacts with alert id {0}. Reason: File with that path already exists."

if status code 404 (is_success = false) :

Print "Artifacts for alert with uuid {0} were not found. ".format(alert_uuid)

The action should fail and stop a playbook execution:

if fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Download Alert Artifacts". Reason: {0}''.format(error.Stacktrace)

General

Add IPS Policy Exception

Description

Add IPS Policy Exception in Trellix Network Security.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Victim IP Subnet String x.x.x.x/24 Yes Specify the IP subnet of the victim that should be used to create a new policy exception. Format: x.x.x.x/xx. Example: 10.0.0.1/24
Interface DDL

ALL

Possible Values

A

B

C

D

ALL

Yes Specify what interface should be used in policy exceptions.
Mode DLL

Block

Possible Values

Block

Unblock

Suppress

Suppress-unblock

Yes Specify the mode that should be used in the policy exception.
Name String N/A No Specify the name for the policy exception. If nothing is specified, the action adds policy exceptions with the following name: PRODUCT_NAME_INTERFACE_MODE .

Run On

The action runs on the IP entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
if status code 200 for at least one entity (is success=true): "Successfully added IPS policy exceptions in Trellix Network Security based on the following entities: {0}!".

If one or more entities didn't work (status code 400) (is success=true): "Action wasn't able to add IPS policy exceptions based on the following entities:\n{0}".

if none of the entities worked: "No IPS policy exception were created".

The action should fail and stop a playbook execution:
if fatal error, like wrong credentials, no connection to server, other: "Error executing action "Add IPS Policy Exception". Reason: {0}''.format(error.Stacktrace)

General

Connectors

FireEye NX - Alerts Connector

Description

Connector ingest Trellix Network Security alert into Google Security Operations SOAR.

Configure FireEye NX - Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String eventType Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https://x.x.x.x:x Yes API root of Trellix Network Security server.
Username String N/A Yes Username of the Trellix Network Security account.
Password Password Yes Password of the Trellix Network Security account.
Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch alerts.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Trellix Network Security server is valid.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, dynamic list will be used as a blocklist.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports proxy.